Date: Thu, 20 Dec 2012 15:41:17 +0000 (UTC) From: Paul Schmehl <pauls@utdallas.edu> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/174592: security/sguil-sensor, port update Message-ID: <20121220154117.B36A3DCA82A@buttercup4.utdallas.edu> Resent-Message-ID: <201212201550.qBKFo0HD070367@freefall.freebsd.org>
>Number: 174592 >Category: ports >Synopsis: security/sguil-sensor, port update >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Thu Dec 20 15:50:00 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Paul Schmehl >Release: FreeBSD 8.3-STABLE amd64 >Organization: The University of Texas at Dallas >Environment: System: FreeBSD hostname.utdallas.edu 8.3-STABLE FreeBSD 8.3-STABLE #2 r243378M: Wed Nov 21 22:16:38 UTC 2012 root@hostname.utdallas.edu:/usr/obj/usr/src/sys/GENERIC amd64 >Description: security/sguil-sensor, update port to version 0.8.0 update to new OPTIONS framework and add LICENSE >How-To-Repeat: >Fix: --- sguil-sensor.diff begins here --- Index: Makefile =================================================================== --- Makefile (revision 309313) +++ Makefile (working copy) @@ -6,8 +6,7 @@ # PORTNAME= sguil-sensor -PORTVERSION= 0.7.0 -PORTREVISION= 3 +PORTVERSION= 0.8.0 CATEGORIES= security MASTER_SITES= SF/sguil/sguil/sguil-${PORTVERSION} 
@@ -15,104 +14,108 @@ COMMENT= Sguil is a network security monitoring program LIB_DEPENDS= tls:${PORTSDIR}/devel/tcltls -RUN_DEPENDS= snort:${PORTSDIR}/security/snort \ - barnyard2:${PORTSDIR}/security/barnyard2 \ +RUN_DEPENDS= barnyard2:${PORTSDIR}/security/barnyard2-sguil \ ${LOCALBASE}/lib/tclx8.4/tclx.tcl:${PORTSDIR}/lang/tclX -OPTIONS= SANCP "Include sancp sensor" off \ - PADS "Include pads sensor" off +OPTIONS_DEFINE= PADS SANCP +PADS_DESC= Include pads sensor +SANCP_DESC= Include sancp sensor +LICENSE_NAME= QPLv1.0 +LICENSE_FILE= ${WRKSRC}/doc/LICENSE.QPL +LICENSE_PERMS= auto-accept + NO_BUILD= yes -USE_RC_SUBR= example_agent pcap_agent snort_agent -TCLSH_CMD?= tclsh8.4 +USE_RC_SUBR= pcap_agent snort_agent +TCL_VER= 8.5 +TCLSH= tclsh${TCL_VER} WRKSRC= ${WRKDIR}/sguil-${PORTVERSION} -SUB_LIST= SGUILDIR=${SGUILDIR} +PATCH_WRKSRC= ${WRKSRC}/sensor +SGUILDIR?= sguil-sensor +SUB_LIST= SGUILDIR=${SGUILDIR} TCLSH=${TCLSH} SUB_FILES= pkg-message PLIST_SUB= SGUILDIR=${SGUILDIR} -SGUILDIR?= sguil-sensor -AGENTS= example_agent.tcl pads_agent.tcl pcap_agent.tcl sancp_agent.tcl snort_agent.tcl +AGENTS= pcap_agent.tcl snort_agent.tcl +CONFS= pcap_agent.conf snort_agent.conf +LOG_SCRIPTS= log_packets-daemonlogger.sh log_packets.sh +WITH_PCRE= true -PORTDOCS= CHANGES FAQ INSTALL INSTALL.openbsd LICENSE.QPL \ - OPENSSL.README TODO UPGRADE USAGE sguildb.dia +PORTDOCS1= README +PORTDOCS2= README.daemonlogger +PORTDOCS3= CHANGES FAQ INSTALL INSTALL.openbsd OPENSSL.README \ + TODO UPGRADE USAGE sguildb.dia -.include <bsd.port.pre.mk> +.include <bsd.port.options.mk> -WITH_PCRE= true - -.if defined(WITH_SANCP) +.if ${PORT_OPTIONS:MSANCP} +AGENTS+= sancp_agent.tcl pcap_agent-sancp.tcl +CONFS+= sancp_agent.conf sancp-indexed.conf pcap_agent-sancp.conf RUN_DEPENDS+= sancp:${PORTSDIR}/security/sancp -USE_RC_SUBR+= sancp_agent -PLIST_SUB+= USESANCP= +USE_RC_SUBR+= sancp_agent pcap_agent-sancp +PLIST_SUB+= USESANCP="" .else PLIST_SUB+= USESANCP="@comment " .endif -.if defined(WITH_PADS) 
+.if ${PORT_OPTIONS:MPADS} +AGENTS+= pads_agent.tcl +CONFS+= pads_agent.conf RUN_DEPENDS+= pads:${PORTSDIR}/net-mgmt/pads USE_RC_SUBR+= pads_agent -PLIST_SUB+= USEPADS= +PLIST_SUB+= USEPADS="" .else PLIST_SUB+= USEPADS="@comment " .endif post-patch: .for f in ${AGENTS} - @${REINPLACE_CMD} -e 's:exec tclsh:exec ${PREFIX}/bin/${TCLSH_CMD}:g' \ + @${REINPLACE_CMD} 's|/bin/sh|${PREFIX}/bin/${TCLSH}|' \ ${WRKSRC}/sensor/${f} - @${REINPLACE_CMD} -e 's:/etc/:${PREFIX}/etc/${SGUILDIR}/:g' \ - ${WRKSRC}/sensor/${f} .endfor do-install: @${MKDIR} ${PREFIX}/bin/${SGUILDIR} @${MKDIR} ${PREFIX}/etc/${SGUILDIR} -.for f in example_agent.tcl pcap_agent.tcl snort_agent.tcl + @${MKDIR} ${PREFIX}/share/${SGUILDIR} + @${MKDIR} ${PREFIX}/share/${SGUILDIR}/contrib + @${MKDIR} ${PREFIX}/share/${SGUILDIR}/init + (cd ${WRKSRC}/sensor/contrib && ${COPYTREE_SHARE} \* ${PREFIX}/share/${SGUILDIR}/contrib "! -name ossec_agent.tcl.orig") + (cd ${WRKSRC}/sensor/init && ${COPYTREE_SHARE} \* ${PREFIX}/share/${SGUILDIR}/init) +.for f in ${AGENTS} ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \ ${PREFIX}/bin/${SGUILDIR}/${f} .endfor -.for f in log_packets.sh +.for f in ${LOG_SCRIPTS} ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \ ${PREFIX}/bin/${SGUILDIR}/${f} .endfor -.for f in example_agent.conf pcap_agent.conf snort_agent.conf +.for f in ${CONFS} ${INSTALL_DATA} ${WRKSRC}/sensor/${f} \ ${PREFIX}/etc/${SGUILDIR}/${f}-sample .endfor -.for f in log_packets.conf - ${INSTALL_DATA} ${FILESDIR}/${f} \ - ${PREFIX}/etc/${SGUILDIR}/${f}-sample +.if ${PORT_OPTIONS:MSANCP} +.for f in log_packets-sancp.sh + ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \ + ${PREFIX}/bin/${SGUILDIR}/${f} .endfor -.if defined(WITH_SANCP) -.for f in sancp_agent.conf - ${INSTALL_DATA} ${WRKSRC}/sensor/${f} \ - ${PREFIX}/etc/${SGUILDIR}/${f}-sample -.endfor .for f in sancp.conf ${INSTALL_DATA} ${WRKSRC}/sensor/sancp/${f} \ - ${PREFIX}/etc/${f}-sample -.endfor -.for f in sancp_agent.tcl - ${INSTALL_SCRIPT} ${WRKSRC}/sensor/${f} \ 
- ${PREFIX}/bin/${SGUILDIR}/${f} -.endfor -.endif -.if defined(WITH_PADS) -.for f in pads_agent.conf - ${INSTALL_DATA} ${WRKSRC}/sensor/${f} \ ${PREFIX}/etc/${SGUILDIR}/${f}-sample .endfor -.for f in pads_agent.tcl - ${INSTALL_SCRIPT} ${WRKSRC}/sensor/${f} \ - ${PREFIX}/bin/${SGUILDIR}/${f} -.endfor .endif post-install: -.if !defined(NOPORTDOCS) +.if ${PORT_OPTIONS:MDOCS} @${MKDIR} ${DOCSDIR} - cd ${WRKSRC}/doc && ${INSTALL_DATA} \ - ${PORTDOCS} ${DOCSDIR} + cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS1} ${DOCSDIR} + cd ${WRKSRC}/sensor && ${INSTALL_DATA} ${PORTDOCS2} ${DOCSDIR} + cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTDOCS3} ${DOCSDIR} +.if ${PORT_OPTIONS:MSANCP} +.for f in README.sancp_indexed_pcap + cd ${WRKSRC}/sensor && ${INSTALL_DATA} ${f} ${DOCSDIR} +.endfor .endif +.endif @${CAT} ${PKGMESSAGE} -.include <bsd.port.post.mk> +.include <bsd.port.mk> Index: distinfo =================================================================== --- distinfo (revision 309313) +++ distinfo (working copy) @@ -1,2 +1,2 @@ -SHA256 (sguil-sensor-0.7.0.tar.gz) = c6f08b031df9de942fc38b35a4bfc7db13357e61b7290b526bad66fcbe3e4f3b -SIZE (sguil-sensor-0.7.0.tar.gz) = 68436 +SHA256 (sguil-sensor-0.8.0.tar.gz) = aa4617c4f9cf1d598c6d728afed50cd6f90dc5d1516a6eda8126401b7bba4be5 +SIZE (sguil-sensor-0.8.0.tar.gz) = 142829 Index: files/example_agent.in =================================================================== --- files/example_agent.in (revision 309313) +++ files/example_agent.in (working copy) 
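Review bot: The new `LICENSE_NAME= QPLv1.0`, `LICENSE_FILE=` and `LICENSE_PERMS=` lines are not accompanied by a `LICENSE=` assignment anywhere in either Makefile hunk, and the licenses framework only consults the `LICENSE_*` variables for a license named in `LICENSE`, so unless that line sits in the unshown lines between the two hunks the license metadata is silently ignored; add a custom identifier above them, e.g. `LICENSE= QPL`. In post-patch, `'s|/bin/sh|${PREFIX}/bin/${TCLSH}|'` rewrites the first `/bin/sh` on every line of each agent rather than only the shebang that the patch files leave behind; the agent sources are not shown, so whether any other line mentions `/bin/sh` cannot be confirmed, but anchoring the expression, `@${REINPLACE_CMD} '1s|^#!/bin/sh|#!${PREFIX}/bin/${TCLSH}|' ${WRKSRC}/sensor/${f}`, limits it to line 1 either way. The pkg-descr hunk still names `lang/tcl84` while this hunk moves the port to `tclsh8.5`; the two should agree.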
@@ -1,34 +0,0 @@ -#!/bin/sh - -# $FreeBSD$ - -# PROVIDE: example_agent -# REQUIRE: DAEMON -# KEYWORD: shutdown - -# Add the following line to /etc/rc.conf to enable example_agent: -# example_agent_enable (bool): Set to YES to enable example_agent -# Default: NO -# example_agent_conf (str): Example_agent configuration file -# Default: %%PREFIX%%/etc/%%SGUILDIR%%/example_agent.conf -# example_agent_flags (str): Default: -D -# - -. /etc/rc.subr - -load_rc_config example_agent - -#set defaults -example_agent_enable=${example_agent_enable:-"NO"} -example_agent_conf=${example_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/example_agent.conf"} -example_agent_flags=${example_agent_flags:-"-D"} - -name="example_agent" -rcvar=example_agent_enable -command="%%PREFIX%%/bin/%%SGUILDIR%%/example_agent.tcl" -command_args="-c ${example_agent_conf} ${example_agent_flags}" -procname="%%PREFIX%%/bin/tclsh8.4" -pidfile="/var/run/${name}.pid" -check_pidfile="${pidfile} ${procname} /bin/sh" - -run_rc_command "$1" Index: files/log_packets.conf =================================================================== --- files/log_packets.conf (revision 309313) +++ files/log_packets.conf (working copy) 
@@ -1,35 +0,0 @@ -# Conf file for the log_packets script -# Make sure you verify the location of -# each of the binaries on your OS - -# Edit these for your setup - -# Sensors hostname. -# Note: If running multiple snort instances, then this must be different -# for each instance (ie sensor1, sensor2, sensor-eth0, sensor-eth1, etc) -HOSTNAME="myhost" -# Path to snort binary -SNORT_PATH="/usr/local/bin/snort" -# Directory to log pcap data to (date dirs will be created in here) -# Note: The path $HOSTNAME/dailylogs, will be appended to this. -LOG_DIR="/snort_data" -# Percentage of disk to try and maintain -MAX_DISK_USE=90 -# Interface to 'listen' to. -INTERFACE="eth0" -# Other options to use when starting snort -#OPTIONS="-u sguil -g sguil -m 122" -# Where to store the pid -PIDFILE="/var/run/snort_log-${HOSTNAME}.pid" -# How do we run ps -PS="ps awx" -# Where is grep -GREP="/usr/bin/grep" -#Add BPFs here. -#The below is an example of a filter for ignoring outbound HTTP from my network -# to the world. -#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)' - -#Some installs may need these -#LD_LIBRARY_PATH=/usr/local/lib/mysql -#export LD_LIBRARY_PATH Index: files/pads_agent.in =================================================================== --- files/pads_agent.in (revision 309313) +++ files/pads_agent.in (working copy) 
@@ -16,19 +16,51 @@ . /etc/rc.subr -load_rc_config pads_agent +name="pads_agent" +rcvar=${name}_enable +load_rc_config ${name} #set defaults -pads_agent_enable=${pads_agent_enable:-"NO"} -pads_agent_conf=${pads_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/pads_agent.conf"} -pads_agent_flags=${pads_agent_flags:-"-D"} +: ${pads_agent_enable:="NO"} +: ${pads_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pads_agent.conf"} +: ${pads_agent_flags:="-D -c ${pads_agent_conf}"} -name="pads_agent" -rcvar=pads_agent_enable command="%%PREFIX%%/bin/%%SGUILDIR%%/pads_agent.tcl" -command_args="-c ${pads_agent_conf} ${pads_agent_flags}" -procname="%%PREFIX%%/bin/tclsh8.4" +procname="%%PREFIX%%/bin/%%TCLSH%%" pidfile="/var/run/${name}.pid" -check_pidfile="${pidfile} ${procname} /bin/sh" +start_precmd="pads_agent_ck4fifo" +stop_postcmd="pads_agent_rmfifo" + +pads_agent_ck4fifo() +{ + LOG_DIR=`grep "LOG_DIR " ${pads_agent_conf} | awk '{print $3}'` + HOSTNAME=`grep "HOSTNAME " ${pads_agent_conf} | awk '{print $3}'` + PADS_FIFO=${LOG_DIR}/${HOSTNAME}/pads.fifo + + if [ ! -p ${PADS_FIFO} ]; then + echo "${PADS_FIFO} does not exist. Creating now....." + /usr/bin/mkfifo ${PADS_FIFO} + fi + echo "Checking for ${PADS_FIFO}...." + if [ -p ${PADS_FIFO} ]; then + echo "Confirmed! ${PADS_FIFO} exists." + else + echo "I tried to create ${PADS_FIFO} and failed." + echo "You will need to create it manually before starting ${name}." + fi +} + +pads_agent_rmfifo() +{ + LOG_DIR=`grep "LOG_DIR " ${pads_agent_conf} | awk '{print $3}'` + HOSTNAME=`grep "HOSTNAME " ${pads_agent_conf} | awk '{print $3}'` + PADS_FIFO=${LOG_DIR}/${HOSTNAME}/pads.fifo + + if [ -p ${PADS_FIFO} ]; then + /bin/rm ${PADS_FIFO} + echo "Removing ${PADS_FIFO}...." + fi +} + run_rc_command "$1" Index: files/patch-log_packets.sh =================================================================== --- files/patch-log_packets.sh (revision 309313) +++ files/patch-log_packets.sh (working copy) 
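Review bot: In `pads_agent_ck4fifo` and `pads_agent_rmfifo` the fifo path is assembled from unchecked grep/awk output, so if `LOG_DIR ` or `HOSTNAME ` is absent from the conf file (or a comment line matches first) `PADS_FIFO` degrades to `//pads.fifo`, the precmd creates a fifo at the filesystem root and the postcmd later removes it; every expansion is also unquoted, so a path with spaces breaks the tests. Extract the two values once in a shared helper, return non-zero when either is empty (rc.subr then aborts the start), and quote `${PADS_FIFO}` and `${pads_agent_conf}` throughout; the `print $3` field layout is kept, which presumes `set NAME value` lines in pads_agent.conf — confirm against the shipped file. Separately, folding `-c ${pads_agent_conf}` into the `_flags` default (also done in pcap_agent.in, sancp_agent.in, snort_agent.in and the new pcap_agent-sancp.in) means a user who sets `pads_agent_flags` in rc.conf silently loses the conf argument, which the removed `command_args="-c ${pads_agent_conf} ${pads_agent_flags}"` form did not.
```shell
pads_agent_fifo_path()
{
	LOG_DIR=$(grep "LOG_DIR " "${pads_agent_conf}" | head -n 1 | awk '{print $3}')
	HOSTNAME=$(grep "HOSTNAME " "${pads_agent_conf}" | head -n 1 | awk '{print $3}')
	if [ -z "${LOG_DIR}" ] || [ -z "${HOSTNAME}" ]; then
		echo "LOG_DIR or HOSTNAME not found in ${pads_agent_conf}; not touching any fifo."
		return 1
	fi
	PADS_FIFO="${LOG_DIR}/${HOSTNAME}/pads.fifo"
}

pads_agent_ck4fifo()
{
	pads_agent_fifo_path || return 1
	if [ ! -p "${PADS_FIFO}" ]; then
		echo "${PADS_FIFO} does not exist. Creating now....."
		/usr/bin/mkfifo "${PADS_FIFO}"
	fi
	# … unchanged: confirmation messages, with "${PADS_FIFO}" quoted …
}

pads_agent_rmfifo()
{
	pads_agent_fifo_path || return 0
	if [ -p "${PADS_FIFO}" ]; then
		/bin/rm "${PADS_FIFO}"
		echo "Removing ${PADS_FIFO}...."
	fi
}
```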
@@ -1,50 +0,0 @@ ---- sensor/log_packets.sh.orig 2008-04-03 22:16:22.000000000 -0500 -+++ sensor/log_packets.sh 2008-04-03 22:22:20.000000000 -0500 -@@ -22,38 +22,16 @@ - # # - ############################################################## - -+# You shouldn't need to edit anything in this script - --# Edit these for your setup -- --# Sensors hostname. --# Note: If running multiple snort instances, then this must be different --# for each instance (ie sensor1, sensor2, sensor-eth0, sensor-eth1, etc) --HOSTNAME="myhost" --# Path to snort binary --SNORT_PATH="/usr/local/bin/snort" --# Directory to log pcap data to (date dirs will be created in here) --# Note: The path $HOSTNAME/dailylogs, will be appended to this. --LOG_DIR="/snort_data" --# Percentage of disk to try and maintain --MAX_DISK_USE=90 --# Interface to 'listen' to. --INTERFACE="eth0" --# Other options to use when starting snort --#OPTIONS="-u sguil -g sguil -m 122" --# Where to store the pid --PIDFILE="/var/run/snort_log-${HOSTNAME}.pid" --# How do we run ps --PS="ps awx" --# Where is grep --GREP="/usr/bin/grep" --#Add BPFs here. --#The below is an example of a filter for ignoring outbound HTTP from my network --# to the world. --#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)' -- --#Some installs may need these --#LD_LIBRARY_PATH=/usr/local/lib/mysql --#export LD_LIBRARY_PATH -+CONF=/usr/local/etc/sguil-sensor/log_packets.conf -+if [ -r ${CONF} ]; then -+ . ${CONF} -+else -+ echo "Your conf file is either missing or the path " -+ echo "in the log_packets.sh script is incorrect." -+ exit 1 -+fi - - TZ=GMT - export TZ Index: files/patch-ossec_agent.tcl =================================================================== --- files/patch-ossec_agent.tcl (revision 0) +++ files/patch-ossec_agent.tcl (working copy) 
@@ -0,0 +1,30 @@ +--- contrib/ossec_agent/ossec_agent.tcl.orig 2012-12-17 22:47:18.000000000 +0000 ++++ contrib/ossec_agent/ossec_agent.tcl 2012-12-17 22:48:45.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # OSSEC agent for Sguil 0.7.0. Based on the "example_agent.tcl" code + # distributed with sguil. +@@ -593,9 +591,9 @@ + if { ![info exists CONF_FILE] } { + + # No conf file specified check the defaults +- if { [file exists /etc/ossec_agent.conf] } { ++ if { [file exists /usr/local/etc/sguil-sensor/ossec_agent.conf] } { + +- set CONF_FILE /etc/ossec_agent.conf ++ set CONF_FILE /usr/local/etc/sguil-sensor/ossec_agent.conf + + } elseif { [file exists ./ossec_agent.conf] } { + +@@ -604,7 +602,7 @@ + } else { + + puts "Couldn't determine where the ossec_agent.tcl config file is" +- puts "Looked for /etc/ossec_agent.conf and ./ossec_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/ossec_agent.conf and ./ossec_agent.conf." + DisplayUsage $argv0 + + } Index: files/patch-pads_agent.tcl =================================================================== --- files/patch-pads_agent.tcl (revision 0) +++ files/patch-pads_agent.tcl (working copy) 
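Review bot: The default conf location is hard-coded to `/usr/local/etc/sguil-sensor/` in the `file exists` and `set CONF_FILE` lines here, and identically in patch-pads_agent.tcl, patch-pcap_agent-sancp.tcl, patch-pcap_agent.tcl, patch-sancp_agent.tcl and patch-snort_agent.tcl, so the agents ignore a non-default PREFIX or SGUILDIR even though the rc scripts and the Makefile's install paths honour both; the Makefile hunk drops the old post-patch substitution that used to supply `${PREFIX}/etc/${SGUILDIR}/`. Keep the patches, but add a second expression to the post-patch loop, `-e 's|/usr/local/etc/sguil-sensor|${PREFIX}/etc/${SGUILDIR}|g'`, and apply it to `contrib/ossec_agent/ossec_agent.tcl` as well, since that file is not in `${AGENTS}`.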
@@ -0,0 +1,39 @@ +--- pads_agent.tcl.orig 2012-12-19 21:25:26.000000000 +0000 ++++ pads_agent.tcl 2012-12-19 21:27:37.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # $Id: pads_agent.tcl,v 1.13 2011/02/17 02:55:48 bamm Exp $ # + +@@ -332,7 +330,7 @@ + id process group set + if {[fork]} {exit 0} + set PID [id process] +- if { ![info exists PID_FILE] } { set PID_FILE "/var/run/sensor_agent.pid" } ++ if { ![info exists PID_FILE] } { set PID_FILE "/var/run/pads_agent.pid" } + set PID_DIR [file dirname $PID_FILE] + if { ![file exists $PID_DIR] || ![file isdirectory $PID_DIR] || ![file writable $PID_DIR] } { + puts "ERROR: Directory $PID_DIR does not exists or is not writable." +@@ -380,16 +378,16 @@ + } + } + # Parse the config file here +-# Default location is /etc/pads_agent.conf or pwd ++# Default location is /usr/local/etc/sguil-sensor/pads_agent.conf or pwd + if { ![info exists CONF_FILE] } { + # No conf file specified check the defaults +- if { [file exists /etc/pads_agent.conf] } { +- set CONF_FILE /etc/pads_agent.conf ++ if { [file exists /usr/local/etc/sguil-sensor/pads_agent.conf] } { ++ set CONF_FILE /usr/local/etc/sguil-sensor/pads_agent.conf + } elseif { [file exists ./pads_agent.conf] } { + set CONF_FILE ./pads_agent.conf + } else { + puts "Couldn't determine where the sensor_agent.tcl config file is" +- puts "Looked for /etc/pads_agent.conf and ./pads_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/pads_agent.conf and ./pads_agent.conf." + DisplayUsage $argv0 + } + } Index: files/patch-pcap_agent-sancp.tcl =================================================================== --- files/patch-pcap_agent-sancp.tcl (revision 0) +++ files/patch-pcap_agent-sancp.tcl (working copy) 
@@ -0,0 +1,35 @@ +--- pcap_agent-sancp.tcl.orig 2012-12-17 22:36:43.000000000 +0000 ++++ pcap_agent-sancp.tcl 2012-12-17 22:38:22.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # $Id: pcap_agent-sancp.tcl,v 1.2 2008/05/29 19:25:50 hanashi Exp $ # + +@@ -754,13 +752,13 @@ + } + + # Parse the config file here +-# Default location is /etc/pcap_agent.conf or pwd ++# Default location is /usr/local/etc/sguil-sensor/pcap_agent.conf or pwd + if { ![info exists CONF_FILE] } { + + # No conf file specified check the defaults +- if { [file exists /etc/pcap_agent.conf] } { ++ if { [file exists /usr/local/etc/sguil-sensor/pcap_agent.conf] } { + +- set CONF_FILE /etc/pcap_agent.conf ++ set CONF_FILE /usr/local/etc/sguil-sensor/pcap_agent.conf + + } elseif { [file exists ./pcap_agent.conf] } { + +@@ -769,7 +767,7 @@ + } else { + + puts "Couldn't determine where the pcap_agent.tcl config file is" +- puts "Looked for /etc/pcap_agent.conf and ./pcap_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/pcap_agent.conf and ./pcap_agent.conf." + DisplayUsage $argv0 + + } Index: files/patch-pcap_agent.tcl =================================================================== --- files/patch-pcap_agent.tcl (revision 0) +++ files/patch-pcap_agent.tcl (working copy) 
@@ -0,0 +1,35 @@ +--- pcap_agent.tcl.orig 2012-12-17 22:31:44.000000000 +0000 ++++ pcap_agent.tcl 2012-12-17 22:42:50.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # $Id: pcap_agent.tcl,v 1.13 2011/03/10 22:03:33 bamm Exp $ # + +@@ -771,13 +769,13 @@ + } + + # Parse the config file here +-# Default location is /etc/pcap_agent.conf or pwd ++# Default location is /usr/local/etc/sguil-sensor/pcap_agent.conf or pwd + if { ![info exists CONF_FILE] } { + + # No conf file specified check the defaults +- if { [file exists /etc/pcap_agent.conf] } { ++ if { [file exists /usr/local/etc/sguil-sensor/pcap_agent.conf] } { + +- set CONF_FILE /etc/pcap_agent.conf ++ set CONF_FILE /usr/local/etc/sguil-sensor/pcap_agent.conf + + } elseif { [file exists ./pcap_agent.conf] } { + +@@ -786,7 +784,7 @@ + } else { + + puts "Couldn't determine where the pcap_agent.tcl config file is" +- puts "Looked for /etc/pcap_agent.conf and ./pcap_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/pcap_agent.conf and ./pcap_agent.conf." + DisplayUsage $argv0 + + } Index: files/patch-sancp_agent.tcl =================================================================== --- files/patch-sancp_agent.tcl (revision 0) +++ files/patch-sancp_agent.tcl (working copy) 
@@ -0,0 +1,30 @@ +--- sancp_agent.tcl.orig 2012-12-17 22:43:39.000000000 +0000 ++++ sancp_agent.tcl 2012-12-17 22:44:56.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # $Id: sancp_agent.tcl,v 1.15 2011/03/10 22:03:33 bamm Exp $ # + +@@ -582,16 +580,16 @@ + } + } + # Parse the config file here +-# Default location is /etc/sancp_agent.conf or pwd ++# Default location is /usr/local/etc/sguil-sensor/sancp_agent.conf or pwd + if { ![info exists CONF_FILE] } { + # No conf file specified check the defaults +- if { [file exists /etc/sancp_agent.conf] } { +- set CONF_FILE /etc/sancp_agent.conf ++ if { [file exists /usr/local/etc/sguil-sensor/sancp_agent.conf] } { ++ set CONF_FILE /usr/local/etc/sguil-sensor/sancp_agent.conf + } elseif { [file exists ./sancp_agent.conf] } { + set CONF_FILE ./sancp_agent.conf + } else { + puts "Couldn't determine where the sancp_agent.tcl config file is" +- puts "Looked for /etc/sancp_agent.conf and ./sancp_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/sancp_agent.conf and ./sancp_agent.conf." + DisplayUsage $argv0 + } + } Index: files/patch-snort_agent.tcl =================================================================== --- files/patch-snort_agent.tcl (revision 0) +++ files/patch-snort_agent.tcl (working copy) 
@@ -0,0 +1,35 @@ +--- snort_agent.tcl.orig 2012-12-17 22:33:35.000000000 +0000 ++++ snort_agent.tcl 2012-12-17 22:39:39.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # $Id: snort_agent.tcl,v 1.9 2011/02/17 02:55:48 bamm Exp $ # + +@@ -680,13 +678,13 @@ + } + + # Parse the config file here +-# Default location is /etc/snort_agent.conf or pwd ++# Default location is /usr/local/etc/sguil-sensor/snort_agent.conf or pwd + if { ![info exists CONF_FILE] } { + + # No conf file specified check the defaults +- if { [file exists /etc/snort_agent.conf] } { ++ if { [file exists /usr/local/etc/sguil-sensor/snort_agent.conf] } { + +- set CONF_FILE /etc/snort_agent.conf ++ set CONF_FILE /usr/local/etc/sguil-sensor/snort_agent.conf + + } elseif { [file exists ./snort_agent.conf] } { + +@@ -695,7 +693,7 @@ + } else { + + puts "Couldn't determine where the snort_agent.tcl config file is" +- puts "Looked for /etc/snort_agent.conf and ./snort_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/snort_agent.conf and ./snort_agent.conf." + DisplayUsage $argv0 + + } Index: files/pcap_agent-sancp.in =================================================================== --- files/pcap_agent-sancp.in (revision 0) +++ files/pcap_agent-sancp.in (working copy) 
@@ -0,0 +1,32 @@ +#!/bin/sh + +# $FreeBSD: head/security/sguil-sensor/files/pcap_agent-sancp.in 302141 2012-08-05 23:19:36Z dougb $ + +# PROVIDE: pcap_agent-sancp +# REQUIRE: DAEMON +# KEYWORD: shutdown + +# Add the following line to /etc/rc.conf to enable pcap_agent-sancp: +# pcap_agent-sancp_enable (bool): Set to YES to enable pcap_agent-sancp +# Default: NO +# pcap_agent-sancp_conf (str): Pads_agent configuration file +# Default: %%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent-sancp.conf +# pcap_agent-sancp_flags (str): Default: -D +# + +. /etc/rc.subr + +name="pcap_agent-sancp" +rcvar=pcap_agent-sancp_enable +load_rc_config pcap_agent-sancp + +#set defaults +: ${pcap_agent-sancp_enable:="NO"} +: ${pcap_agent-sancp_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent-sancp.conf"} +: ${pcap_agent-sancp_flags:="-D -c ${pcap_agent-sancp_conf}"} + +command="%%PREFIX%%/bin/%%SGUILDIR%%/pcap_agent-sancp.tcl" +procname="%%PREFIX%%/bin/%%TCLSH%%" +pidfile="/var/run/${name}.pid" + +run_rc_command "$1" Index: files/pcap_agent.in =================================================================== --- files/pcap_agent.in (revision 309313) +++ files/pcap_agent.in (working copy) 
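Review bot: The shell-facing names derived from `name="pcap_agent-sancp"` contain a hyphen, which sh does not permit in a parameter name: `: ${pcap_agent-sancp_enable:="NO"}` is parsed as a `${pcap_agent-word}` default-value expansion rather than an assignment, and `rcvar=pcap_agent-sancp_enable` can never be set from rc.conf, so the service cannot be enabled. Use underscores for `name`, `rcvar` and the three defaults while keeping the script and binary file names, and update the rc.conf comment block to match (its `Pads_agent configuration file` description is also a copy-paste leftover). The `$FreeBSD: head/... $` header should be the bare `$FreeBSD$` keyword for a newly added file.
```shell
name="pcap_agent_sancp"
rcvar=pcap_agent_sancp_enable
load_rc_config ${name}

#set defaults
: ${pcap_agent_sancp_enable:="NO"}
: ${pcap_agent_sancp_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent-sancp.conf"}
: ${pcap_agent_sancp_flags:="-D -c ${pcap_agent_sancp_conf}"}

command="%%PREFIX%%/bin/%%SGUILDIR%%/pcap_agent-sancp.tcl"
# … unchanged: procname, pidfile, run_rc_command …
```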
@@ -16,19 +16,17 @@ . /etc/rc.subr +name="pcap_agent" +rcvar=pcap_agent_enable load_rc_config pcap_agent #set defaults -pcap_agent_enable=${pcap_agent_enable:-"NO"} -pcap_agent_conf=${pcap_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent.conf"} -pcap_agent_flags=${pcap_agent_flags:-"-D"} +: ${pcap_agent_enable:="NO"} +: ${pcap_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent.conf"} +: ${pcap_agent_flags:="-D -c ${pcap_agent_conf}"} -name="pcap_agent" -rcvar=pcap_agent_enable command="%%PREFIX%%/bin/%%SGUILDIR%%/pcap_agent.tcl" -command_args="-c ${pcap_agent_conf} ${pcap_agent_flags}" -procname="%%PREFIX%%/bin/tclsh8.4" +procname="%%PREFIX%%/bin/%%TCLSH%%" pidfile="/var/run/${name}.pid" -check_pidfile="${pidfile} ${procname} /bin/sh" run_rc_command "$1" Index: files/pkg-message.in =================================================================== --- files/pkg-message.in (revision 309313) +++ files/pkg-message.in (working copy) @@ -2,13 +2,11 @@ * !!!!!!!!!!! WARNING !!!!!!!!!!! * *********************************** -If you already had barnyard installed, this port will NOT deinstall -it and install the barnyard-sguil6 port instead. You will need to -deinstall the barnyard port and install the barnyard-sguil6 port yourself -instead. This port WILL NOT WORK without the barnyard-sguil6 port!! +If you already had barnyard2 installed, this port will NOT deinstall +it and install the barnyard2-sguil port instead. You will need to +deinstall the barnyard2 port and install the barnyard2-sguil port yourself +instead. This port WILL NOT WORK without the barnyard2-sguil port!! -You MUST edit the log_packets.conf file (located in %%PREFIX%%/etc/%%SGUILDIR%%) -to fit your configuration before running the log_packets.sh script. See the %%DOCSDIR%%/INSTALL doc for details on the configuration and for croning the script. 
@@ -16,13 +14,18 @@ quickly. You should probably configure sguil et al to log to another partition/location (e.g. /nsm/tmp/). -You must ALSO edit all of the sensor conf fileis (located in +You must ALSO edit all of the sensor conf files (located in %%PREFIX%%/%%SGUILDIR%%/etc/) to reflect your configuration before starting the sensor_agents. +A number of ancilliary things have been installed in +%%PREFIX%%/share/%%SGUILDIR%%. + If you chose to run sancp, and you already had a sancp.conf file in %%PREFIX%%/etc, copy it to sancp.conf.orig before creating the new one. -The new sancp.conf-sample file contains the settings for squil. -If you still want to maintain the customized sancp.conf file, then copy -the new sancp.conf-sample file to sguild-sancp.conf (for example) and -add sancp_conf=%%PREFIX%%/etc/sguild-sancp.conf to /etc/rc.conf. +The new sancp.conf-sample file contains the settings for squil. NOTE: +the conf file is for sancp 1.5.3. It may need additional edits to work +with the current ports version of sancp. If you still want to maintain +the customized sancp.conf file, then copy the new sancp.conf-sample +file to sguild-sancp.conf (for example) and add +sancp_conf=%%PREFIX%%/etc/sguild-sancp.conf to /etc/rc.conf. Index: files/sancp_agent.in =================================================================== --- files/sancp_agent.in (revision 309313) +++ files/sancp_agent.in (working copy) 
@@ -16,19 +16,17 @@ . /etc/rc.subr +name="sancp_agent" +rcvar=sancp_agent_enable load_rc_config sancp_agent #set defaults -sancp_agent_enable=${sancp_agent_enable:-"NO"} -sancp_agent_conf=${sancp_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/sancp_agent.conf"} -sancp_agent_flags=${sancp_agent_flags:-"-D"} +: ${sancp_agent_enable:="NO"} +: ${sancp_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/sancp_agent.conf"} +: ${sancp_agent_flags:="-D -c ${sancp_agent_conf}"} -name="sancp_agent" -rcvar=sancp_agent_enable command="%%PREFIX%%/bin/%%SGUILDIR%%/sancp_agent.tcl" -command_args="-c ${sancp_agent_conf} ${sancp_agent_flags}" -procname="%%PREFIX%%/bin/tclsh8.4" +procname="%%PREFIX%%/bin/%%TCLSH%%" pidfile="/var/run/${name}.pid" -check_pidfile="${pidfile} ${procname} /bin/sh" run_rc_command "$1" Index: files/snort_agent.in =================================================================== --- files/snort_agent.in (revision 309313) +++ files/snort_agent.in (working copy) @@ -16,19 +16,17 @@ . /etc/rc.subr +name="snort_agent" +rcvar=snort_agent_enable load_rc_config snort_agent #set defaults -snort_agent_enable=${snort_agent_enable:-"NO"} -snort_agent_conf=${snort_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/snort_agent.conf"} -snort_agent_flags=${snort_agent_flags:-"-D"} +: ${snort_agent_enable:="NO"} +: ${snort_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/snort_agent.conf"} +: ${snort_agent_flags:="-D -c ${snort_agent_conf}"} -name="snort_agent" -rcvar=snort_agent_enable command="%%PREFIX%%/bin/%%SGUILDIR%%/snort_agent.tcl" -command_args="-c ${snort_agent_conf} ${snort_agent_flags}" -procname="%%PREFIX%%/bin/tclsh8.4" +procname="%%PREFIX%%/bin/%%TCLSH%%" pidfile="/var/run/${name}.pid" -check_pidfile="${pidfile} ${procname} /bin/sh" run_rc_command "$1" Index: pkg-descr =================================================================== --- pkg-descr (revision 309313) +++ pkg-descr (working copy) 
@@ -4,7 +4,7 @@ (www.tcl.tk). Sguil also relies on other open source software in order to function properly. -The sensor list includes security/barnyard, security/snort, +The sensor list includes security/barnyard2-sguil, security/snort, security/sancp, net-mgmt/pads, tcpdump (a part of the OS) and devel/tcltls as well as lang/tcl84 and lang/tclX. Care has been taken to ensure that everything you need to build @@ -15,4 +15,3 @@ rule management capabilities. WWW: http://sguil.sourceforge.net/index.php -pauls@utdallas.edu Index: pkg-plist =================================================================== --- pkg-plist (revision 309313) +++ pkg-plist (working copy) 
@@ -1,15 +1,41 @@ +bin/%%SGUILDIR%%/log_packets-daemonlogger.sh bin/%%SGUILDIR%%/log_packets.sh -bin/%%SGUILDIR%%/example_agent.tcl bin/%%SGUILDIR%%/pcap_agent.tcl bin/%%SGUILDIR%%/snort_agent.tcl -etc/%%SGUILDIR%%/example_agent.conf-sample etc/%%SGUILDIR%%/pcap_agent.conf-sample etc/%%SGUILDIR%%/snort_agent.conf-sample -etc/%%SGUILDIR%%/log_packets.conf-sample +%%DOCSDIR%%/CHANGES +%%DOCSDIR%%/FAQ +%%DOCSDIR%%/INSTALL +%%DOCSDIR%%/INSTALL.openbsd +%%DOCSDIR%%/OPENSSL.README +%%DOCSDIR%%/README +%%DOCSDIR%%/README.daemonlogger +%%DOCSDIR%%/TODO +%%DOCSDIR%%/UPGRADE +%%DOCSDIR%%/USAGE +%%DOCSDIR%%/sguildb.dia +share/%%SGUILDIR%%/contrib/ossec_agent/README +share/%%SGUILDIR%%/contrib/ossec_agent/ossec_agent.conf +share/%%SGUILDIR%%/contrib/ossec_agent/ossec_agent.tcl +share/%%SGUILDIR%%/contrib/portscan_loader/Makefile +share/%%SGUILDIR%%/contrib/portscan_loader/portscan_loader.c +share/%%SGUILDIR%%/init/sensoragent %%USEPADS%%bin/%%SGUILDIR%%/pads_agent.tcl %%USEPADS%%etc/%%SGUILDIR%%/pads_agent.conf-sample -%%USESANCP%%etc/sancp.conf-sample +%%USESANCP%%bin/%%SGUILDIR%%/log_packets-sancp.sh +%%USESANCP%%bin/%%SGUILDIR%%/pcap_agent-sancp.tcl %%USESANCP%%bin/%%SGUILDIR%%/sancp_agent.tcl %%USESANCP%%etc/%%SGUILDIR%%/sancp_agent.conf-sample +%%USESANCP%%etc/%%SGUILDIR%%/sancp-indexed.conf-sample +%%USESANCP%%etc/%%SGUILDIR%%/pcap_agent-sancp.conf-sample +%%USESANCP%%etc/%%SGUILDIR%%/sancp.conf-sample +%%USESANCP%%%%DOCSDIR%%/README.sancp_indexed_pcap +@dirrm share/%%SGUILDIR%%/init +@dirrm share/%%SGUILDIR%%/contrib/portscan_loader +@dirrm share/%%SGUILDIR%%/contrib/ossec_agent +@dirrm share/%%SGUILDIR%%/contrib +@dirrm share/%%SGUILDIR%% +@dirrmtry etc/%%SGUILDIR%% @dirrm bin/%%SGUILDIR%% -@dirrmtry etc/%%SGUILDIR%% +@dirrm %%DOCSDIR%% --- sguil-sensor.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
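Review bot: The `%%DOCSDIR%%/...` entries and the closing `@dirrm %%DOCSDIR%%` are listed unconditionally, but the Makefile installs them only under `.if ${PORT_OPTIONS:MDOCS}`, so a build with DOCS off fails the plist check; prefix each with `%%PORTDOCS%%`, and the sancp document with both, `%%USESANCP%%%%PORTDOCS%%%%DOCSDIR%%/README.sancp_indexed_pcap`, so the framework comments them out. Because `PORTDOCS` itself is not set in the Makefile (the files live in `PORTDOCS1..3`) and `OPTIONS_DEFINE= PADS SANCP` does not list DOCS, it is worth confirming that DOCS is offered at all; if it is not, `${PORT_OPTIONS:MDOCS}` may never be true and the documentation would never be installed.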